■ • f • 

Cryptocoiomunication system, transmission apparatus , and 
reception apparatus 

This application is based on an application No. 
5 2000-384835 filed in Japan, the content of which is hereby 
incorporated by reference . 

BACKGROUND OF THE INVENTION 

(1) Field of the Invention 

10 The present invention relates to an encryption technology 

used as an information security technology, and especially to 
a technology for detecting errors that occur in decrypting. 

(2) Description of the Related Art 

15 As data communication using a computer technology or a 

communication technology becomes widespread, 
cryptocommunication systems are becoming prevalent. 
Cryptocommunication enables data communication without 
revealing the communications to a third party who is not an 

20 intended party. 

Cryptosystems are used for realizing the 
cryptocommunication systems. In cryptosystems, an authentic 
encryption key is used in applying an encryption algorithm to 
plaintext for generating ciphertext, and an authentic 

25 decryption key is used in applying a decryption algorithm to 
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the ciphertext for generating decrypted text. In some 
cryptosystems, there is a possibility of generating decrypted 
text which is different from original plaintext. Hereinafter^ 
the phenomena in which generated decrypted text is different 
5 from its original plaintext is referred to as a ^'decryption 
error," and the cryptosystem in which this decryption error 
occurs is referred to as a ''decryption error vulnerable 
cryptosystem. " 

One example of the above-mentioned decryption error 

10 vulnerable cryptosystems is a NTRU cryptosystem. The NTRU 
cryptosystem, simply put, generates ciphertext by encrypting 
plaintext by using random numbers as parameters and an encryption 
key, and generates decrypted text by decrypting the ciphertext 
by using a decryption key. This cryptosystem, which uses random 

15 numbers as parameters, has a chance of obtaining different 
ciphertext from the same plaintext. 

For a detailed description of the NTRU cryptosystem, 
please refer to Jeffrey Hoffstein, Jill Pipher, and Joseph H. 
Silverman, "NTRU: A ring based public key cryptosystem, " Lecture 

20 Notes in Computer Science, 1423, pp. 267-288, Springer-Verlag, 
1998. 

In the cryptocommunication system using the NTRU 
cryptosystem, there is a possibility of obtaining different 
decrypted text from the original plaintext. Therefore, 
25 intended information is not insured to be transmitted to the 
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receivers . 

(First Conventional Example) 

In order to overcome the above stated problem, the 
following cryptocommunication system using the NTRU 
cryptosystemhasbeenproposed. This cryptocommunication system 
consists of an encrypting apparatus and a decrypting apparatus. 
The encrypting apparatus and the decrypting apparatus are 
connected to each other through a communication channel. 

The encrypting apparatus generates n random numbers ri, 

' ' • / and encrypts plaintext m by using an encryption 
key Kp stored in advance and the mentioned random numbers as 
parameters, in order to obtain n pieces of ciphertext ci, 

C2f ' ' ' f Cxi* 

Ci = E(m, Kp, ri) 
C2 = E(m, Kp, r2) 
• • • 

Cn = E(m, Kp, rn) 

Here, the equation C = E (M, K, R) shows that the ciphertext 
C is generated by encrypting the plaintext M by using the 
encryption key K and the random number R as parameters. 

Next, the encrypting apparatus transmits, to the 
decrypting apparatus, the generated n pieces of ciphertext Ci, 

C2, • • • , Cn through the communication channel. 

The decrypting apparatus receives, through the 



communication channel, the n pieces of ciphertext Ci, 02, • • ' , 

Cn/ and decrypts the received ciphertext ci, C2, * • • f 

Cn by using the decryption key Ks stored in advance, in order 

to obtain decrypted text m'l, m'2f * * ' f ni'n- 
5 m'l = D(ci, Ks) 

m'2 = D(C2/ Ks) 
• • • 

m'n = D(Cnf Ks) 

Next, the decrypting apparatus considers that a decryption 
10 error has occurred if a single component in the decrypted text 

m'l, m'2/ • • • , m' n is different from its corresponding original 
plaintext • 

This cryptocommunication system is inefficient in that 
the system increases communications, even if the system is 
15 capable of detecting the occurrence of decryption errors. In 
addition, there is a possibility of degrading the security for 
this cryptocommunication system, in which different random 
numbers are used as parameters for transmitting a plurality 
of pieces of ciphertext based on the same plaintext. 
20 This is due to the possibility that, from n equations, 

Ci = E (m, Kp, ri) 
C2 = E (m, Kp, r2) 
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Cn = E (m, Kp, rn) , 

the information on the plaintext m or on the random numbers 

r[l]^r[2]," • • , r [n] arelikely toberevealedtothirdparties. 

The encryption attack using this inherent disadvantage in the 
5 NTRU system is called ''multiple transmission attack." 

Specifically, it is known that the security is endangered 
when the decryption error detection is performed in the NTRU 
cryptosystem which is one of the detection error vulnerable 
cryptosystems - Please refer, for a detailed description about 
10 the multiple transmission attack, to Jeffrey Hoffstein, Jill 
Pipher, and Joseph H, Silverman, ''NTRU: A ring based public 
key cryptosystem,'' Lecture Notes in Computer Science, 1423, 
pp. 267-288, Springer-Verlag, 1998. 

As described above, the decryption error detection 
15 performed in the NTRU cryptosystem has a problem of increasing 
communications and lowering the security level. 

(Second Conventional Example) 

A Japanese Laid-Open Publication No. 2000-216773 
20 discloses the following technology for the purpose of providing 
a method and an apparatus for judging the correctness of the 
encrypted information in which receivers of the encrypted 
information can judge whether or not the decrypted information 
is correct. 

25 In this technology, a sender calculates a first hash value 
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of plaintext by using a predetermined hash value generation 
algorithm, and sends the first hash value with ciphertext 
resulting from encrypting the plaintext by using an encryption 
algorithm. Then, a receiver receives the ciphertext with the 
5 first hash value, generates decrypted text by decrypting the 
ciphertext, calculates a second hash value of the decrypted 
text by using the same hash value generation algorithm that 
was used for calculating the first hash value, compares the 
first hash value and the second hash value, and judges that 

10 the decrypted text is correct only when the first and the second 
hash values match. 

However, even when the above-mentioned conventional 
technologies are used, it is difficult to completely avoid third 
parties' attacks. A more secured cryptocommunication system 

15 is therefore desired. 

SUMMARY OF THE INVENTION 

The object of the present invention, in order to solve 
the above problem, is to provide a cryptocommunication system, 
20 a transmission apparatus, a reception apparatus, a method of 
cryptocommunication, a program for a cryptocommunication, and 
a recording medium on which the program is recorded, that are 
more secure. 

The object of the present invention is achieved by a 
25 cryptocommunication system including a transmission 
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apparatus and a reception apparatus. The transmission 
apparatus encrypts plaintext to generate ciphertext, performs 
a one-way operation on the plaintext to generate a first value, 
and transmits the ciphertext and the first value to the 
5 reception apparatus. The reception apparatus receives the 
ciphertext and the first value, decrypts the ciphertext to 
generate decrypted text, performs the one-way operation on 
the decrypted text to generate a second value, and judges 
that the decrypted text matches the plaintext when the second 

10 value and the first value match. The transmission apparatus 
includes: a first generating unit for generating first 
additional information; a first operation unit for performing 
an invertible operation on the plaintext and the first 
additional information to generate connected information; 

15 an encrypting unit for encrypting the connected information 
according to an encryption algorithm so as to generate the 
ciphertext; and a transmitting unit for transmitting the 
ciphertext. The reception apparatus comprises: a receiving 
unit for receiving the ciphertext; a second generating unit 

20 for generating second additional information which is dentical 
to the first additional information; a decrypting unit for 
decrypting the ciphertext according to a decryption algorithm, 
which is an inverse-conversion of the encryption algorithm, 
so as to generate decrypted connected information; and a second 

25 operation unit for performing an inverse operation of the 
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invertible operation on the decrypted connected information 
and the second additional information so as to generate the 
decrypted text . 

According to this structure, the transmission apparatus 
5 enables connected information to be generated by performing 
an invertible operation on the plaintext and on the first 
additional information, encrypted connected information to be 
generated by encrypting the connected information, and the 
encrypted connected information to be transmitted. The 

10 reception apparatus enables the connected information to be 
received, decrypted connected information to be generated by 
decrypting the received encrypted connected information, and 
decrypted text tobe generatedby performing an inverse operation 
of the invertible operation on the decrypted connected 

15 information and on the second additional information. This 
realizes a more secure cryptocommunication system than the 
conventional systems . 

Here, in the cryptocommunication system of the present 
invention, the second generating unit synchronizes with the 

20 first generation unit so as to generate the second additional 
information which is identical to the first additional 
information. 

According to this structure, the second generating unit 
synchronizes with the first generating unit in order to generate 
25 second additional information which is identical to the first 
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additional information, thereby enabling decrypted connected 
information to be obtained which has the same content as the 
connected information. 

Here, in the cryptocommunication system of the present 
5 invention, the first generating unit generates a random number, 
and sets the generated random number as the first additional 
information. 

According to this structure, the first generating unit 
can generate first additional information by using a random 

10 number, thereby generating different additional information 
for each communication. This makes it difficult to infer first 
additional information from encrypted connected information. 
Here, in the cryptocommunication system of the present invention, 
the invertible operation unit bit-connects the plaintext with 

15 the first additional information so as to generate the connected 
information, and the second operation unit deletes the second 
additional information from the decrypted connected information 
so as to generate the decrypted text. 

According to this structure, the invertible operation 

20 unit can generate connected information by bit-connecting the 
plaintext with the first additional information, and the inverse 
invertible operation unit can generate decrypted text by 
deleting the second additional information from the decrypted 
connected information. Therefore, correct decrypted text is 

25 assured tobe obtained from the decrypted connected information. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

These and other objects^ advantages and features of the 
present invention will become more apparent from the following 
5 detailed description when taken in conjunction with the 

accompanying drawings that illustrate a specific embodiment 
of the invention. In the drawings: 

Fig. 1 is a block diagram showing a structure of a 
cryptocommunication system 1; 
10 Fig. 2 is a block diagram showing a structure of an 

encrypting unit 105; 

Fig. 3 is ablockdiagramshowinga structure of a decrypting 
unit 202; 

Fig. 4 is a flowchart showing an action performed by a 
15 transmission apparatus 10, where the continuation thereof is 
shown in Fig. 5; 

Fig. 5 is a flowchart showing an action performed by the 
transmission apparatus 10, which is a continuation from Fig. 
4; 

20 Fig. 6 is a flowchart showing an action performed by a 

reception apparatus 20; 

Fig. 7 is an example of the conversion table used in the 
calculation method 6; 

Fig. 8 is a block diagram showing a structure of a 
25 cryptocommunication system lb which is a first modification 



example of the cryptocommunication system 1; 

Fig. 9 is a flowchart showing an action performed by the 
cryptocommunication system lb; 

Fig. 10 is a block diagram showing a structure of a 
5 cryptocommunication system Ic which is a second modification 
example of the cryptocommunication system 1; 

Fig. 11 is a flowchart showing an action performed by 
the cryptocommunication system Ic; 

Fig. 12 is a block diagram showing a structure of a 
10 cryptocommunication system Id which is a third modification 
example of the cryptocommunication system 1; 

Fig. 13 is a flowchart showing an action performed by 
the cryptocommunication system Id; and 

Fig. 14 is a table showing possible combinations between 
15 the modifications. 



DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 
1. Cryptocommunication system 1 

The following is a description of a cryptocommunication 
20 system 1 which is one embodiment pertaining to the present 
invention. 



1.1 The structure of the cryptocommunication system 1 

A cryptocommunication system 1 is a system in which 
25 decryption error detection is enabled for the decryption error 
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vulnerable cryptocommunication systems. As shown in Fig. 1, 
the cryptocommunication system 1 consists of a transmission 
apparatus 10 and a reception apparatus 20, both of which are 
connected to each other through an internet 30. 
5 The cryptocommunication system 1 uses the NTRU 

cyrptosystem which is one of the decryption error vulnerable 
cryptosystems . Please refer to Jeffrey Hoff stein, Jill Pipher, 
and Joseph H. Silverman, ^'NTRU: A ring based public key 
cryptosystem, " Lecture Notes in Computer Science, 1423, pp. 

10 267-288, Springer-Verlag, 1998 for a detailed description about 
a method of generating NTRU cipher text , and a method of generating 
an encryption key and a decryption key for the NTRU cryptosystem. 

The transmission apparatus 10 generates ciphertext by 
applying, to the plaintext stored in advance, the encryption 

15 algorithm according to the NTRU cryptosystem, and transmits 
the generated ciphertext to the reception apparatus 20. The 
reception apparatus 20, in turn, receives the ciphertext, and 
generates decrypted text by applying, to the received ciphertext, 
the decryption algorithm according to the NTRU cryptosystem. 

20 

1.2 The structure of the transmission apparatus 10 

The transmission apparatus 10 consists of a plaintext 
storage 101, an additional information generation unit 102, 
an information adding unit 103, a one-way operation unit 104, 
25 an encrypting unit 105, and a transmitting unit 106. The 
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transmission apparatus 10 is concretely a computer system 
composed of a microprocessor, ROM, RAM, a hard disk unit, a 
display unit, a key board, a mouse, a communication unit, and 
the like . The RAM or the hard disk unit stores a computer program. 
5 The transmission apparatus 10 realizes its function by making 
the microprocessor work according to the computer program. 
(1) The plaintext storage 101 

The plaintext storage 101 stores plaintext m in advance. 
The plaintext m is composed of information with a fixed length. 
10 (2) The additional information generation unit 102 

The additional information generation unit 102 generates 
additional information Ra which is a random number with a 
predetermined bit length of rLen, and outputs the generated 
additional information Ra to the information adding unit 103. 
15 (3) The information adding unit 103 

The information adding unit 103 reads out the plaintext 
m from the plaintext storage 101, and receives the additional 
information Ra from the additional information generation unit 
102. 

20 Next, the information adding unit 103 connects the read 

plaintext m with the received additional information Ra by a 
bit-connecting method, so as to obtain resulting connected 
information F (m, Ra)=m||Ra. 

Here, the operator " I 1" signifies a bit-connecting. The 

25 bit-connecting represents a single value which is a result from 
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uniting two values, each being represented as a bit row. In 
an example assuming that m=10, rLen=5, and Ra=7, the bit row 
representation for the plaintext m is '"1010", and the bit row 
representation for the additional information Ra with a length 
5 of rLen is '"00111". Thus, the result from the bit-connecting 
is "'101000111," which means 327 in decimal notation. 

Next, the information adding unit 103 outputs the 
generated connected information F(m, Ra) to the encrypting unit 
105. j 

10 (4) The one-way operation unit 104 

The one-way operation unit 104 stores a hash function 
h which is a one-way operation. 

Here, the one-way operation is a function which is designed 
to calculate a value from an inputted value, and which makes 

15 it difficult to calculate the originally inputted value from 
the value. Further, an assumption is made about the hash function 
h used here that it is assured to be difficult enough to obtain 
a value for the plaintext m by using the value h (m) , and it 
is collide-free. For the details of the one-way operation, the 

20 hash function, the security of the hash function, and the 
collision-free charasteristic of the hash function, refer to 
Tatsuaki Okamoto, Hirosi Yamamoto, ''Gendai Ango" (Modern 
cryptography) , Series/Mathematics in Information Science, 
Sangyo-Tosho, 1997, pp. 56, and pp. 189-195. 

25 The one-way operation unit 104 reads out the plaintext 
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m from the plaintext storage 101, calculates a value h(m) from 
the read plaintext m by using the hash function h, and outputs 
the calculated value h(m) to the transmitting unit 106. 
(5) The encrypting unit 105 
5 As hown in FIG. 2, the encrypting unit 105 consists of 

a random number generation unit 1051, an encryption key storage 
1052, and an encryption function unit 1053. 

a. The encryption key storage unit 1052 

The encryption key storage unit 1052 stores an encryption 
10 key Kp in advance. 

b. The random number generation unit 1051 

The random number generation unit 1051 generates a random 
number r, using a rand ( ) which is a library function for the 
C language, for example, and outputs the generated random number 
15 r to the encryption function unit 1053. 

c. The encryption function unit 1053 

The encryption function unit 1053 includes an encryption 
algorithm dedicated to the NTRU encryption cryptosystem in 
advance . 

20 The encryption function unit 1053 receives a connected 

information F (m, Ra) from the information adding unit 103, 
receives a random number r from the random number generation 
unit 1051 , and reads out an encryption key Kp from the encryption 
key storage 1052. 

25 Next, the encryption function unit 1053, by using the 

15 . 



random number r and the read encryption key Kp, encrypts the 
received connected information F{m,Ra) according to the 
encryption algorithm, so as to generate encrypted connected 
information E (F(m, Ra), Kp, r) , and outputs the generated 
5 encrypted connected information E{F{m, Ra) , Kp, r) to the 
transmitting unit 106- 

(6) The transmitting unit 106 

The transmitting unit 106 receives the encrypted connected 
information E (F(m, Ra), Kp, r) and the value h (m) , and transmits 
10 the received encrypted connected information E (F(m, Ra) , Kp, 
r) and value h(m) to the reception apparatus 20 through the 
internet 30 . 

1.3 The structure of the reception apparatus 20 

The reception apparatus 20 consists of a receiving unit 

15 201, a decrypting unit 202, an information removing unit 203, 
a one-way operation unit 204, a comparison (comparing) unit 
205, adecrypted text storage 206, and a comparison result storage 
207 . The reception apparatus 20 is specif ically the same computer 
system as the transmission apparatus 10. 

20 (1) The receiving unit 201 

The receiving unit 201 receives, from the transmission 
apparatus 10, the encrypted connected information E (F(m, Ra), 
Kp, r) and the value h(m) through the internet 30, and outputs 
the received encrypted connected information E to the decrypting 

25 unit 202, and outputs the received value h(m) to the comparison 
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unit 205. 

(2) The decrypting unit 202 

As shown in FIG, 3, the decrypting unit 202 consists of 
a decryption key storage 2021 and a decryption function unit 
5 2022. 

a. The decryption key storage 2021 

The decryption key storage unit 2021 stores a decryption 
key Ks in advance. 

b. The decryption function unit 2022 

10 The decryption function unit 2022 stores a decryption 

algorithm which is an inversed form of the encryption algorithm 
which is included in the encryption function unit 1053. 

The decryption function unit 2022 receives the encrypted 
connected information E(F(m, Ra), Kp, r) from the receiving 

15 unit 201, and reads out the decryption key Ks from the decryption 
key storage 2021. 

Next, the decryption function unit 2022, by using the 
read decryption key Ks, decrypts the received encrypted 
connected information E (F (m, Ra) , Kp, r ) according to the 

20 decryption algorithm, so as to generate a decrypted connected 
information D (E(F(m, Ra), Kp, r) , Ks), and outputs the decrypted 
connected information to the information removing unit 203. 

(3) The information removing unit 203 

The information removing unit 203 stores a bit length 
25 rLen in advance. 



17 



The information removing unit 203 receives the decrypted 
connected information D(E(F(m, Ra) , Kp, r) , Ks) from the 
decrypting unit 202, removes the additional information Ra from 
the decrypted connected information, by removing a bit row of 
5 the rLen bit length from the end of the received decrypted 
connected information D(E(F(m, Ra) , Kp, r) , Ks), generates 
decrypted text from the remaining information after the 
additional information Ra is removed from the decrypted 
connected information, and outputs the generated decrypted text 
10 m' to the one-way operation unit 204. The information removing 
unit 203 also writes the generated decrypted text m' on the 
decrypted text storage 206. 

(4) The one-way operation unit 204 

The one-way operation unit 204 stores, in advance, the 
15 same hash function h which is included in the one-way operation 
unit 104. 

The one-way operation unit 204 receives the decrypted 
text m' from the information removing unit 203, hashes the 
received decrypted text m' according to the hash function h 
20 so as to generate a functional value h (m' ) , and outputs the 
value h(m') to the comparison unit 205. 

(5) The comparison unit 205 

The comparison unit 205 receives the value h (m) from the 
receivingunit 201, and the value h (m' ) from the one-way operation 
25 unit 204. 

18 



Next, the comparison unit 205 compares the value h (m) 
with the value h(m' ) , judges whether the two values match, and 
generates a comparison result j which shows whether these values 
match or do not match. Specifically, the comparison unit 205, 
when these values match, generates a comparison result which 
shows j=l, and wh.en these values do not match, generates a 
comparison result which shows j=0. The comparison unit 205 
writes the generated comparison result j on the comparison result 
storage 207. 

(6) The decrypted text storage 206 

The decrypted text storage 206 has an area for storing 
decrypted text. 

(7) The comparison result storage 207 

The comparison result storage 207 has an area for storing 
the comparison result j . 

1.4 The action of the transmission apparatus 10 

The following is a description of the action (operation) 
that the transmission apparatus 10 performs, with reference 
to the flowcharts shown in Fig. 4 and Fig. 5. 

The additional information generation unit 102 generates 
additional information Ra, and outputs the generated additional 
information Ra to the information adding unit 103 (Step SlOl) . 

Next, the information adding unit 103 reads out the 
plaintext m from the plaintext storage 101 (stepS102), receives 
the additional information Ra from the additional information 
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generation unit 102 (step S103), generates connected 
information F(m, Ra) by uniting the plaintext m with the 
additional information Ra, and outputs the generated connected 
information F(m, Ra) to the encrypting unit 105 (step S104) • 
5 Next, the encrypting unit 105 receives the connected 

information F(m, Ra), generates encrypted connected information 
E(F(m, Ra) , Kp, r) by applying the encrypting algorithm E to 
the received connected information F(m, Ra) (step S105), and 
outputs the generated encrypted connected information E ( F (m, Ra ) , 

10 Kp, r) to the transmitting unit 106 (step S106) . 

Next, the one-way operation unit 104 reads out the 
plaintext m from the plaintext storage 101 (step S107), 
calculates a value h (m) from the plaintext m by using the hash 
function h (step S108), and outputs the calculated value h(m) 

15 to the transmitting unit 106 (step S109) . 

The transmitting unit 106 receives the encrypted connected 
information E (F (m, Ra) , Kp, r) and the value h (m) , and transmits, 
through the internet 30, the received encrypted connected 
information and the value h(m) to the reception apparatus (step 

20 SllO) . 

1.5 The action that the reception apparatus 20 performs 

The following is a description of the action that the 
reception apparatus 20 performs, with reference to the 
flow-chart shown in Fig. 6. 
25 The receiving unit 201 receives, from the transmission 
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apparatus 10, the encrypted connected information E(F(m^Ra), 
Kp,r) and the value h{m) through the internet 30 (step S151), 
outputs the received encrypted connected information to the 
decrypting unit 202, and outputs the received value h(m) to 
5 the comparison unit 205 (step S152) . 

The decrypting unit 202 receives the encrypted connected 
information E (F (m, Ra), Kp, r) , generates decrypted connected 
information D(E(F(m, Ra), Kp, r) ) by applying the decryption 
algorithm D to the received encrypted connected information 
10 E(F(m,Ra), Kp,r) (step S153), and outputs the decrypted 

connected information to the information removing unit 203 (step 
S154) . 

The information removing unit 203 receives the decrypted 
connected information D (E (F (m, Ra) , Kp, r) ) , removes the 

15 additional information Ra from the received decrypted connected 
information so as to generate decrypted text m' (step S155), 
outputs the generated decrypted text m' to the one-way operation 
unit 204, and writes the generated decrypted text m' on the 
decrypted text storage 206 (step S156) . 

20 The one-way operation unit 204 receives the decrypted 

text m' , hashes the received decrypted text m' according to 
the hash function h so as to calculate a value h (m' ) , and outputs 
the calculated value h (m' ) to the comparing unit 205 (stepS157). 
The comparing unit 205 receives the value h(m) and the 

25 value h(m' ) , compares the two values to judge whether the two 
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values match, generates a comparison result j either showing 
that the values match or do not match, and writes the generated 
comparison result j on the comparison result storage 207 (step 
S158) . 

5 1-6 The comparison of action between the embodiment and the 
conventional examples 

The following is a description of decryption error 
detection according to the embodiment of the present invention. 
The decryption error detection of the present invention is then 
10 compared with those used in the conventional technologies. 

When there is not a decryption error, the comparison result 
j which is to be outputted from the comparison unit 205 of the 
reception apparatus 20 is always 1. 

The possibility that the comparison result j is 1, that 
15 is, the possibility that h(m') generated from the one-way 
operation unit 204 of the reception apparatus 20 happens to 
be equal to (i.e. match) h(m) generated from the one-way operation 
unit 104 of the transmission apparatus 10 is as follows: 
For the one-way operation unit 104 and the one-way 
20 operation unit 204 using the hash function outputting a hash 
value of the length of k bits, there are 2^ ways of hash value 
with k bits. Therefore, the possibility thereof is 2"^. 

Therefore, if there is actually a decryption error, the 
possibility that the decryption error is detected by examining 
25 the comparison result j generated by the reception apparatus 
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20 is 1-2"*'. 

For example, when it is assumed that a hash function is 
SHA-1, the SHA-1 has at least 160 bits of output. Therefore, 
the possibility will be l-2~^^^' which means that almost all the 
5 detection errors can be detected- 

Moreover, the communications through the internet 30 is 
a sum of the bit length of the ciphertext outputted from the 
encrypting unit 105 and the bit length of the hash value h' (m) 
outputted from the one-way operation unit 104, Generally 
10 speaking, the output bit length for a hash function is smaller 
than that for inputted data. Therefore, it is unlikely that 
the communications in this example is more than twice as many 
as the output bit length for the ciphertext. 

For example, when the hash function to be used is SHA-1, 
15 this holds true since most cryptosystems including the NTRU 
cryptosystem use a ciphertext length of 160 bits or more. 

The communications in the data cryptosystem according 
to the first conventional has several times as many as the output 
bits length of the ciphertext. Thus, it can be concluded that 
20 the communications is reduced for the present embodiment, 
therefore enhancing the communication efficiency. 

Further, as for security considerations, the present 
embodiment makes it difficult to infer the inputted value from 
the outputted value. Moreover, the present embodiment is not 
25 designed, unlike the first conventional example, to transmit 



the same plaintext more than one time. Therefore, an adequate 
security level is insured in the present embodiment . In addition, 
in a case in which the protocol is adopted for re-transmitting 
the same data again by a re-transmission request, after the 
5 decryption error detection is performed, the present embodiment 
is more resistant to the multiple transmission attack than the 
data cryptosystem described in the first conventional example, 
since the present embodiment adds a random number to plaintext 
before encrypting . 

10 Moreover, the conventional technology encrypts plaintext 

from its intact condition. This increases the possibility of 
being decryptedby a third party who intercepts the communication 
channel, when the sender resends, upon request from the receiver, 
ciphertext that is generated from the same plaintext. That is, 

15 there is a possibility that a third party can intercept and 
decrypt the several pieces of ciphertext into the plaintext. 
(This phenomenon is called multiple transmission attack as is 
mentioned in the first conventional example.) 

On the contrary, the present embodiment is able to set 

20 different additional information Ra for each communication. 
This enables to create a different m | | Ra value for same plaintext 
each time the sender has to resend ciphertext. This reduces 
the possibility of being illegally decrypted by a third party 
attempting to perform a multiple transmission attack. 

25 Moreover, the low transmission quality of the transmission 
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channel enables a difference to be detected between the original 
plaintext and the decrypted text, when the bit is lost or garbled, 
just as mentioned in the above. 

5 2. Modifications of the cryptocommunication system 1 

The following is a description of modifications for the 
cryptocommunication system 1. 

2.1 Modifications on the additional information 
10 In the cryptocommunication system 1, the additional 

information generation unit 102 is to generate additional 
information Ra which is a random number. However, it is also 
possible to replace the additional information Ra with time 
stamp information or counter information. To summarize, the 
15 additional information that is generated by the additional 
information generation unit 102 can be any type of information 
as long as such information yields a different value every time 
it is used. 

The time stamp information represents a current time when 
20 the additional information generation unit 102 generates a piece 
of additional information, and is specifically composed of 
information showing year, month, day, hour, minute, second, 
and millisecond, in a fixed length. 

The counter information is numerical information in 
25 fixed digits, and is designed to add 1 every time it is used. 

25 



2.2 Modifications for calculating the connected information 
F(m; Ra) 

In the cryptocommunication system 1, the information 
5 adding unit 103 calculates connected information F (m, Ra)=m| |Ra, 
by uniting the plaintext m with the additional information Ra, 
However, the calculation method can be other than this method 
if it is invertible in such a way that m can be converted in 
the reverse direction based on the additional information. 
10 Examples of the other calculation methods are explained 

below including the calculation method of the embodiment. 

In order to extract only the plaintext by removing the 
additional information from the connected information, an 
inverse operation is performed. 
15 (1) Calculation method 1 

The calculation method 1 is expressed as connected 
information F(m,Ra) = m||Ra, where M " signifies a 
bit-connecting. This is a calculation for obtaining plaintext 
for the embodiment. 
20 Note that an expression ''connected information 

F(m,Ra)=Ra| |m" can be alternatively used for the expression 
described above. 

Further, the plaintext m is divided into several pieces 
of partial plaintext information, each having length of 4 bits. 
25 In the same way, the additional information is also divided 
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into several pieces of partial additional information, each 
having length of 4 bits. Then, connected information may be 
obtained by uniting the pieces of partial plaintext information 
and the pieces of partial additional information alternately. 
5 Generally speaking, a length of plaintext m is greater than 
a length of additional information. Therefore, the connected 
information usually ends with partial plaintext information, 

(2) Calculation method 2 

The calculation method 2 is expressed as '^connected 
10 information F (m, Ra) =m( + )Ra, "where " ( + ) " signifies an exclusive 
OR, with its inverse operation being expressed as ''decrypted 
text m' = connected information F{ + ) Ra." 

(3) Calculation method 3 

The calculation method 3 is expressed as "connected 
15 information F (m, Ra) =m+Ra, " with its inverse operation being 
expressed as ''decrypted text m'=connected information F-Ra," 

(4) Calculation method 4 

The calculation method 4 is expressed as "connected 

information F (m, Ra) =mXRa modp" where p is a prime number greater 
20 than m. 

The inverse operation is performed as follows: 
Decrypted text m' = connected information F/Ra mod p 

(5) Calculation method 5 

The calculation method 5 is expressed as "connected 
25 information F (m, Ra) =BitPerm [Ra](m)," where BitPerm [Ra] (m) 
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is an operation for replacing the bit expression m based on 
Ra. 

The specific operation methods are shown in the following: 
(5-1 ) Calculation method 5-1 
5 This expression is to bit-rotate m by Ra bits. 

For example, if m is assumed to be ''1111000011110000", 
and Ra is assumed to be Ra =3 (in decimal notation), then the 
m after replacement can be expressed as m=1000011110000111 . 

Here, the reverse bit rotation is also possible. 
10 The inverse operation is performed by rotating the 

connected information F in a reverse direction by Ra bits. 
(5-2 ) Calculation method 5-2 

In this method, m is replaced according to the calculation 
algorithm. In other words, an operation is performed first by 
15 making Ra an inputted value, and then m is replaced based on 
the calculation result. 

The above-described two calculation method is described 
by using the following examples, 
(example) 

20 Ra is assumed to be 128-bit-length . The hash value of 

16-bit-length is calculated from Ra by using a hash function. 
Next, m is bit-rotated by the obtained hash value as shown in 
the calculation method 5-1. 

The inverse operation is performed as follows: 

25 The connected information F is replaced according to the 



calculation algorithm. In other words, the operation is 
performedby making the Ra an inputted value . Then, the connected 
information F is replaced based on the operation result, in 
order to obtain decrypted text m' . 
5 (example) 

Ra is assumed to be 128-bit-length. A 16-bit-length hash 
value is calculated from Ra by using a hash function. Next, 
as the calculation method 5-1, the connected information F is 
bit-rotated in a reverse direction by the obtained hash value. 

10 (5-3) calculation method 5-3 

In the calculation method 5-3, several pieces of partial 
information are generated by dividing m into 4 bit length . Next , 
each piece of partial information is replaced by using the 
replacement table for 4 input-output bit length corresponding 

15 to Ra. 

Here, the replacement table includes 16 sets 
before-conversion bit row with 4 bit length, and the 
corresponding after-conversion bit row with 4 bit length. 

In the replacement table for Ra of a certain value (e.g. 
20 "'I"), 16 before-conversion bit rows are expressed as 0000, 0001, 

0010, • • ' , 1110, andllll. The corresponding 16 after-conversion 

bit rows are 1111, 1110, 1101, • • • , 0001 and 0000. 

For a different value of Ra (e.g. 2), the replacement 
table corresponding thereto has 16 after-conversion bit rows: 
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1111, 1110, 1101, • • • , 0000, and 0001. 

In the above fashion, more than one type of replacement 
table is made possible for each value of Ra. 

The inverse operation is performed as follows. 
5 Connected information F is divided into 4 bits, in order 

to generate several pieces of partial connected information. 
Next, the replacement in a reverse direction is performed for 
each piece of partial connected information by using the 
replacement table for 4 input-output bit length corresponding 
10 to a Ra. 

(6) Calculation method 6 

The calculation method 6 is expressed as ^'connected 
information F (m, Ra) =Tab [Ra] (m) , " where Tab[Ra](m) means to 
convert m according to the conversion table Tab. 
15 For example, when m is assumed to have 8-bit-length, each 

m is converted according to the table Tab as shown in Fig. 7 
which is stored for each Ra. The conversion table Tab includes 
256 sets of 8-bit value and 8-bit value. 

For an example in which m=l, plaintext m is converted 
20 into 39 according to the conversion table Tab shown in Fig. 
7. 

The inverse operation is performed as follows: 
Connected information F is converted in the reverse 
direction to the above, according to the conversion table Tab. 

25 
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2.3 Modification examples of the cryptocommunication system 
1 in which additional information is shared 

The following is a description on modification examples 
for the cyrptocommunication system 1 in which additional 
5 information is shared. 

(1) A first modification example 

As a first modification example, a cryptocommunication 
system lb is described which is a modified form of the 
cryptocommunication system 1. 
10 (A structure of the cryptocommunication system lb) 

The cryptocommunication system lb consists of a transmission 
apparatus 10b and a reception apparatus 20b, as shown in Fig. 
8. 

The transmission apparatus 10b and the reception apparatus 
15 20b each have the same structure as the transmission apparatus 
10 and the reception apparatus 20, respectively, that constitute 
the cryptocommunication system 1 . The following is a description 
of the transmission apparatus 10b and the reception apparatus 
20b, with an emphasis on the difference between the transmission 
20 apparatus 10 and the reception apparatus 20. 

The transmission apparatus 10b is further equipped with 
a synchronizing unit 107. In addition, the transmission 
apparatus 10b is equipped with an additional information 
generation unit 102b instead of the additional information 
25 generation unit 102 which the cryptocommunication system 1 has . 
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In addition, the reception apparatus 20b is further equipped 
with a synchronizing unit 208 and an additional information 
generation unit 209. The synchronizing unit 107 and the 
synchronizing unit 208 are connected to each other through the 
5 dedicated line 40b. 

The synchronizing unit 107 generates a random number XR, 
and outputs the generated random number XR through the dedicated 
line 40b to the synchronizing unit 208. The synchronizing unit 
107 further outputs the generated random number XR to the 

10 additional information generation unit 102b. 

The additional information generation unit 102b/ upon 
receiving the random number XR from the synchronizing unit 107, 
generates additional information Ra by using the received random 
number XR, and outputs the generated additional information 

15 Ra to the information adding unit 103. Here, an assumption is 
made that the random number XR is used as the additional 
information Ra without being processed, which is one example 
of generating additional information Ra from the random number 
XR. 

20 The synchronizing unit 208 receives the additional 

information XR through the dedicated line 40b, and outputs the 
received additional information XR to the additional 
information generation unit 209. 

The additional information generation unit 209, upon 

25 receiving the random number XR from the synchronizing unit 208, 



generates additional information Ra by using the received random 
number XR, and outputs the generated additional information 
Ra to the information removing unit 203 • Here, an assumption 
is made that the random number XR is used as the additional 
5 information Ra without being processed, which is one example 
of generating additional information Ra from the random number 
XR. 

(Action of the cryptocommunication system lb) 

The action that the cryptocommunication system lb performs 

10 is described in the following with reference to the flowchart 
shown in Fig. 9. 

Note that the focus here is on the differences between 
the cryptocommunication systems lb and 1, since most of the 
action is the same between the two systems. 

15 The synchronizing unit 107 generates a random number XR 

(Step S201) , and outputs the generated random number XR through 
the dedicated line 4 0b to the synchronizing unit 208 (Step S202) . 
The synchronizing unit 107 further outputs the generated random 
number XR to the additional information generation unit 102b 

20 (step S203) . 

The additional information generation unit 102b, upon 
receiving the random number XR from the synchronizing unit 107, 
generates additional information Ra by using the received random 
number XR, and outputs the generated additional information 

25 Ra to the information adding unit 103 (step S203) . 
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The synchronizing unit 208 receives the random number 
through the dedicated line 40b, and outputs the received random 
number XR to the additional information generation unit 209 
(step S202) . 

5 The additional information generation unit 209, upon 

receiving the random number XR, generates additional 
information Ra by using the received random number XR (step 

5204) , and outputs the generated additional information Ra to 
the information removing unit 203 (step S205) . The information 

10 removing unit 203 receives the additional information Ra (step 

5205) , and generates decrypted text m' from decrypted connected 
information by using the received additional information Ra 
(step S206) . 

(2) A second modification example 
15 A cryptocommunication system Ic is described which is 

a second modification example of the cryptocommunication system 
1. 

(A structure of the cryptocommunication system Ic) 

The cryptocommunication system Ic consists of a 
20 transmission apparatus 10c and a reception apparatus 20c, as 
shown in Fig. 10* 

The transmission apparatus 10c and the reception apparatus 
20c each have the same structure as the transmission apparatus 
10 and the reception apparatus 20 for the cryptocommunication 
25 system 1. 
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The transmission apparatus 10c, instead of the additional 
information generation unit 102 and the transmitting unit 106, 
is equipped with an additional information generation unit 102c 
and a transmitting unit 106c. The reception apparatus 20c, 
instead of the information removing unit 203 and the receiving 
unit 201, is equipped with an information removing unit 203c 
and a receiving unit 201c. 

The additional information generation unit 102c, the 
transmitting unit 106c, the information removing unit 203c, 
and the receiving unit 201c each have the same structure as 
the additional information generation unit 102, the 
transmitting unit 106, the information removing unit 203, and 
the receiving unit 201, respectively. Therefore, the focus in 
the following description will be on the differences there 
between. 

The additional information generation unit 102c outputs 
the generated additional information Ra to the transmitting 
unit 106c. 

The transmitting unit 106c receives the additional 
information Ra from the additional information generation unit 
102c, and transmits the received additional information Ra to 
the reception apparatus 20c through the internet 30. 

The receiving unit 201c receives the additional 
information Ra through the internet 30 from the transmission 
apparatus 10c, and outputs the received additional information 
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Ra to the information removing unit 203c. 

The information removing unit 203c receives the additional 
information Ra from the receiving unit 201^ and generates 
decrypted text m' from decrypted connected information by using 
5 the received additional information Ra. 

(Action of the cryptocommunication system Ic) 

The action that the cryptocommunication system Ic per forms 
is described in the following with reference to the flowchart 
shown in Fig. 11. 
10 Note that the focus will be on the differences between 

the two systems, since the most of the action of the 
cryptocommunication system Ic is the same as the 
cryptocommunication system 1. 

The additional information generation unit 102c generates 
15 additional information Ra, and outputs the generated additional 
information Ra to the transmitting unit 106c (step S221) . 

The transmitting unit 106c receives the additional 
information Ra from the additional information generation unit 
102c, and transmits the received additional information Ra 
20 through the internet 30 to the reception apparatus 20c {step 
S222) . 

The receiving unit 201c receives the additional 
information Ra through the internet 30 from the transmission 
apparatus 10c, and outputs the received additional information 
25 Ra to the information removing unit 203c (step S222) . 
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The information removing unit 203c receives the additional 
information Ra from the receiving unit 201c (step S223), and 
generates decrypted text m' from the decryption connected 
information by using the received additional information Ra 
5 (step S224) . 

(3) A third modification example 

The following is a description of a cryptocommunication 
system Id which is a third modification example of the 
cryptocommunication system 1. 
10 (A structure of the cryptocommunication system Id) 

The cryptocommunication system Id consists of a 
transmission apparatus lOd and a reception apparatus 20d, as 
shown in Fig. 12. 

The transmission apparatus lOd and the reception apparatus 
15 20d each have the same structure as the transmission apparatus 
10 and the reception apparatus 20 that compose the 
cryptocommunication system 1. 

The transmission apparatus lOd , instead of the additional 
information generation unit 102, the encrypting unit 105, and 
20 the transmitting unit 106, is equipped with an additional 
information generation unit 102d, an encrypting unit 105d, and 
a transmitting unit 106d. The reception apparatus 20d, instead 
of the decrypting unit 202, the information removing unit 203, 
and the receiving unit 201, is equipped with a decrypting unit 
25 202d, an information removing unit 203d, and a receiving unit 



201d. 

The additional information generation unit 102d, the 
encrypting unit 105d, the transmitting unit 106d, the decrypting 
unit 202d, the information removing unit 203d, and the receiving 
5 unit 201d, each have the same structure as the additional 
information generation unit 102, the encrypting unit 105, the 
transmitting unit 106, the decrypting unit 202, the information 
removing unit 203, and the receiving unit 201, respectively. 
The following description focuses on the differences 

10 therebetween. 

The additional information generation unit 102d generates 
additional information Ra, and outputs the generated additional 
information Ra to the encrypting unit 105d. 

The encrypting unit 105d, upon receiving the additional 

15 information Ra from the additional information generation unit 
102d, applies an encryption algorithm to the received additional 
information Ra, so as to generate encrypted additional 
information E (Ra, Kp, r2) . Here, r2 is a random number as r . Next, 
the encrypting unit 105d outputs the generated encrypted 

20 additional information E (Ra, Kp, r2) to the transmitting unit 
106d. 

The transmitting unit 106d receives the encrypted 
additional information E(Ra,Kp,r2) from the encrypting unit 
105d, and transmits the received encrypted additional 
25 informationE (Ra,Kp,r2) through the internet 30 to the reception 



apparatus 20d. 

The receiving unit 201d receives, through the internet 
30, the encrypted additional information E(Ra,Kp,r2) from the 
transmitting unit 106d, and outputs the received encrypted 
5 additional information E (Ra, Kp, r2) to the decrypting unit 202d. 

The decrypt ing unit 2 02d receives the encrypted additional 
information E(Ra,Kp,r2) from the receiving unit 201d, and 
generates decrypted additional information D (E (Ra, Kp, r2) , Ks) 
by applying a decryption algorithm to the received encrypted 
10 additional information E(Ra,Kp,r2) . Next, the decrypting unit 
202d outputs the generated decrypted additional information 
D(E (Ra,Kp, r2) ,Ks) to the information removing unit 203d. 

The information removing unit 203d receives the decrypted 
additional information D (E (Ra, Kp, r2) , Ks) from the decrypting 
15 unit 202d, and generates decrypted text m' from decrypted 
connected information D (E (F (m, Ra) , Kp, r ) , Ks) by using the 
received decrypted additional information D (E (Ra, Kp, r2 ) , Ks) . 
(Action of the cryptocommunication system Id) 

The action that the cryptocommunication system Idperf orms 
20 is described in the following with reference to the flowchart 
shown in Fig. 13. 

Since the action of the cryptocommunication system Id 
is mostly the same as that of the cryptocommunication system 
1, the focus in the following description is on their differences . 
25 The additional information generation unit 102d generates 



additional information Ra, and outputs the generated additional 
information Ra to the encrypting unit 105d (step S241) . 

The encrypting unit 105d receives the additional 
information Ra from the additional information generation unit 
5 102d, generates encrypted additional information E{Ra,Kp,r2) 
by applying an encryption algorithm to the received additional 
information Ra, and outputs the generated encrypted additional 
information E(Ra,Kp,r2) to the transmitting unit 106d (step 
S242) . 

10 The transmitting unit 106d receives the encrypted 

additional information E(Ra,Kp,r2) from the encrypting unit 
105d, and transmits the received encrypted additional 
information E (Ra, Kp, r2) through the internet 30 to the reception 
apparatus 20d (step S243) . 

15 The receiving unit 201d receives, from the transmitting 

unit 106d, the encrypted additional information E(Ra,Kp,r2) 
through the internet 30, and outputs the received encrypted 
additional information E (Ra,Kp, r2) to the decrypting unit 202d 
(step S243) . 

20 The decrypting unit 202d receives the encrypted additional 

information E(Ra,Kp,r2) from the receiving unit 201d, and 
generates decrypted additional information D (E (Ra, Kp, r2 ) , Ks ) 
by applying a decryption algorithm to the received encrypted 
additional information E(Ra,Kp,r2) . Then, the decrypting unit 

25 202d outputs the generated decrypted additional information 
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D(E (Ra,Kp, r2) ,Ks) to the information removing unit 203d (step 
S244) . 

The information removing unit 203d receives, from the 
decrypting unit 202d, the decrypted additional information 
5 D(E (Ra,Kp, r2) ,Ks) (step S245), and generates decrypted text 
m' from the decrypted connected information 
D (E (F (m, Ra) , Kp, r) , Ks) by using the received encrypted 
additional information D (E (Ra, Kp, r2) , Ks) (Step S246) . 
2.4 Feasible combination between modifications 

10 Feasible combinations between the modifications 

regarding the additional information, the modifications for 
the calculation of the connected information F(m, Ra), and the 
modification examples of the cryptocommunication system in 
which the additional information is shared are described in 

15 the following with reference to the table shown in Fig. 14. 

As the table in Fig. 14 shows, each modification for 
additional information (i.e. a random number, a time stamp, 
and a counter) can be used with all the modifications for 
calculating connected information F(m, Ra), or with the 

20 modification examples of the cryptocommunication system in 
which the additional information is shared. 

Further, as shown in Fig. 14, the modification in which 
ml |Ra is used for calculating the connected information is 
applicable to cryptocommunication systems l,and Ib-ld. 

25 In addition, among the modifications for calculating 
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connected information F (m, Ra) , m( + ) Ra^m+Ra,mxRa,modp^ Bit Perm 

[Ra] (m) , Tab [Ra] (m) methods, as shown in Fig. lA, are applicable 
to the cryptocommunication systems Ib-ld. 
3. Other modification examples 
5 So far, the present invention was described based on the 

embodiment . The present invention is not limited to the described 
embodiment, and also includes other cases described below. 

(1) The cryptocommunication system 1 may be structured 
in the following way. The one-way function unit 104 of the 

10 transmission apparatus 10 receives connected information 

F(m, Ra) from the information adding unit 103, hashes the received 
connected information F(m, Ra) according to the hash function 
h to generate a functional value h{F(m,Ra) ), and transmits the 
functional value h (F (m, Ra) ) , through the transmitting unit 106, 

15 the internet 30, and the receiving unit 201, to the comparing 
unit 205. 

The one-way function unit 204 of the reception apparatus 
20 receives decrypted connected information 
D(E{F(m,Ra) ,Kp,r) ,Ks) from the decrypting unit 202, hashes the 

20 received D(E{F{m, Ra) ,Kp,r) ,Ks) according to the hash function 
h so as to generate a functional value h (D (E (F (m, Ra) , Kp, r) , Ks) ) , 
and outputs the generated functional value 
h{D(E (F(m,Ra) ,Kp, r) ,Ks) ) to the comparing unit 205. The 
comparing unit 205 compares the functional value h(F(m,Ra)) 

25 and the functional value h (D(E (F(m,Ra) ,Kp, r) ,Ks) ) and judges 
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whether the two values match. 

In the above way, the judgement is performed as to whether 
or not the plaintext has been correctly decrypted, 

(2) Moreover, the cryptocommunication system 1 may be 
5 structured in the following way. 

The information adding unit 103 of the transmission 
apparatus 10, by using G which is a different invert ible operation 
from F, generates connected information G(m, Ra). Here, an 
example of G is G=Ra | |m. Next, the information adding unit 103 

10 outputs the generated connected information G(m,Ra) to the 
one-way function unit 104 . The one-way function unit 104 receives 
the connected information G{m,Ra) from the information adding 
unit 103, hashes the received connected information G(m,Ra) 
according to the hash function h so as to generate a functional 

15 value h (G (m, Ra) ) , and transmits the generated functional value 
h{G(m,Ra)), through the transmitting unit 106, the internet 
30, and the receiving unit 201, to the comparing unit 205. 

Further, the information removing unit 205 of the 
reception apparatus 20, by using the decrypted text m' , a random 

20 number Ra, and the connected information G, generates connected 
information G(m',Ra), and transmits the generated G(m',Ra) to 
the one-way function unit 204. Here, the information removing 
unit 203 shares the same random number Ra with the transmission 
apparatus 10, as shown in the first modification example. The 

25 one-way function unit 204 receives the connected information 
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G(m',Ra), hashes the received connected information G(m',Ra) 
according to the hash function h so as to generate a functional 
value h(G(m' ,Ra) ) , and outputs the generated functional value 
h(G(m',Ra) ) to the comparing unit 205. The comparing unit 205 
5 compares the functional value h(G(m,Ra)) and the functional 
value h(G(m',Ra) to see whether the two values match. 

In the above way, the judgment is performed as to whether 
or not the plaintext has been decrypted correctly. 
(3) The encryption algorithm and the decryption algorithm are 

10 not limited to those described in the embodiment, and other 
crypto-algorithms are also possible. For example, ordinary 
cryptosystems such as the DES cryptosystem, the RSA cryptosystem, 
and the ElGamal cryptosystem can also be used. 

In addition, for the one-way operation unit 104, 

15 cryptosystem functions used for the ordinary cryptosystems can 
be also used as well as the hash functions. 

For a detailed description about the DES cryptosystem, 
the RSA cryptosystem, and the ElGamal cryptosystem, please refer 
to Tatsuaki Okamoto, Yamamoto Hirosi, '^Gendai Ango" (Modern 

20 Cryptography) , Series/Mathematics in Information Science, 
Sangyo Tosho, 1997. 

Further, it can be also arranged so that each couple of 
transmitting users and receiving users can have a different 
one-way operation, instead of all the users in one system sharing 

25 one one-way operation. 
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(4) In the present embodiment, the transmission apparatus 
10 and the reception apparatus 20 are connected to each other 
through the internet 30. However, the means to connect the 
transmission apparatus 10 and the reception apparatus 20 is 

5 not limited to the internet, and can also be a dedicated line, 
or by over-the-air (wireless) communication. 

(5) The present invention can be the method described above, 
or can be a computer program enabling the method by a computer. 
Alternatively, the present invention can be implemented as 

10 digital signals comprised of the computer program. 

Further, the present invention can be a recording medium 
which can be read from by using a computer, such as a flexible 
disk, a hard disk, CD-ROM, MO, a DVD, DVD-ROM, DVD-RAM, or 
semiconductor memory, which stores the computer program or the 

15 digital signals. Alternatively, the present invention can also 
be the computer program or the digital signals recorded on these 
recording media. 

Further, the present invention can transmit the computer 
program or the digital signals through a network represented 

20 by electric communication lines, over-the-air, cable 
transmission lines, or the internet, for example. 

Further, the present invention can be a computer system 
that is equipped with a microprocessor and memory, in which 
the memory stores a computer program, and the microprocessor 

25 can work according to the computer program. 
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In addition, another computer system which is independent 
from the described computer system can realize the tasks, by 
transmitting the computer program or the digital signals stored 
in the recording media, or by transmitting the computer program 
5 or the digital signals through the network and the like. 
(6) The stated embodiment and the modifications thereof can 
be combined with each other. 

Although the present invention has been fully described 
by way of examples with reference to the accompanying drawings, 
10 it is to be noted that various changes and modifications will 
be apparent to those skilled in the art. Therefore, unless such 
changes and modifications otherwise depart from the scope of 
the present invention, they shouldbe construed as being included 
therein. 

15 
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